To secure Windows logon with Azure AD user accounts, you first need to set up MFA for Office 365 with WS-Federation.
In addition, the Office 365 application set up in your DualShield server must have 2 logon procedures, one for Web SSO and the other for Enhanced Client
The logon procedure for ECP must have one logon step with "Static Password" as its authentication method
User Experience
Troubleshooting Reference:
Troubleshoot hybrid Azure AD-joined devices